Fighting Trojans like JS.Inject

All English-language materials have been translated fully automatically using the Google service

The code and description of the fight against trojans are provided as is. You use them at your own risk

Before scanning for viruses, you need to:

1. Change the access credentials (passwords) for the admin panel, FTP/SSH and the hosting control panel

2. Make sure that the computer from which the cleanup is being performed is not itself infected: scan it for viruses first

3. Make a full backup of the site both through the admin panel and through the hosting control panel

4. Use the solution from 1C-Bitrix for searching for Trojans

5. Contact the hosting provider's technical support and ask them to scan the site with an antivirus. Sometimes this service is free, sometimes it costs a symbolic amount. Don't miss this opportunity

If you decide to find the virus yourself, then in most cases you need to:

Scroll through the bitrix\js\main\core\core.js file to the very bottom and make sure that there is no strange or unfamiliar code before or after the line //# sourceMappingURL=core.js.map (~18459). You may see something like:

\bs=document.createElement(`script`);s.src=atob(`ENCODED_STRING`);document.head.appendChild(s);

Check the bitrix\modules\main\include\prolog.php file for unwanted code insertions, or simply replace it with a fresh copy. At the time of publication of this material the file looks like this:

<?
require_once(dirname(__FILE__)."/../bx_root.php");

if (file_exists($_SERVER["DOCUMENT_ROOT"].BX_PERSONAL_ROOT."/html_pages/.enabled"))
{
	require_once(dirname(__FILE__)."/../lib/composite/responder.php");
	Bitrix\Main\Composite\Responder::respond();
}

require_once(dirname(__FILE__)."/prolog_before.php");
require($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/prolog_after.php");

Scan folders and files by last modified date

This is the most effective method if you know the file structure and the date of infection well. Enter the command in an SSH session or in the hosting console (if the hosting provides one). The command below finds all PHP files (by the *.ph* mask) changed in the last 3 days:

find . -name '*.ph*' -mtime -3

Content search for malicious code

find ./ -type f -name "*.php" -exec grep -i -H "wso shell\|Backdoor\|Shell\|base64_decode\|str_rot13\|gzuncompress\|gzinflate\|strrev\|killall\|navigator.userAgent.match\|mysql_safe\|UdpFlood\|40,101,115,110,98,114,105,110\|msg=@gzinflate\|sql2_safe\|NlOThmMjgyODM0NjkyODdiYT\|6POkiojiO7iY3ns1rn8\|var vst = String.fromCharCode\|c999sh\|request12.php\|auth_pass\|shell_exec\|FilesMan\|passthru\|system\|passwd\|mkdir\|chmod\|md5=\|e2aa4e\|file_get_contents\|eval\|stripslashes\|fsockopen\|pfsockopen\|base64_files" {} \;

or without find (grep -R searches files of every type here; note that generic words such as system, mkdir, chmod and eval also occur in legitimate Bitrix code, so expect false positives and review every hit manually):

grep -R -i -H -E "wso shell|Backdoor|Shell|base64_decode|str_rot13|gzuncompress|gzinflate|strrev|killall|navigator.userAgent.match|mysql_safe|UdpFlood|40,101,115,110,98,114,105,110|msg=@gzinflate|sql2_safe|NlOThmMjgyODM0NjkyODdiYT|6POkiojiO7iY3ns1rn8|var vst = String.fromCharCode|c999sh|request12.php|auth_pass|shell_exec|FilesMan|passthru|system|passwd|mkdir|chmod|md5=|e2aa4e|file_get_contents|eval|stripslashes|fsockopen|pfsockopen|base64_files" ./
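An added example, not from the original article, that wraps the two checks above as shell functions: check_core_js verifies that no code follows the sourceMappingURL line at the end of core.js and that the last lines contain no atob() loader, and scan_recent_php combines the modification-date search with a shortened version of the signature list. The function names, the five-line tail window and the reduced signature list are this example's own assumptions.

```shell
#!/bin/sh
# Added example: two checks from the article wrapped as shell functions.
# Run from the site root, e.g.:
#   check_core_js bitrix/js/main/core/core.js && echo "core.js tail is clean"
#   scan_recent_php . 3

# Returns 0 when nothing follows the sourceMappingURL comment in the file
# and the last five lines contain no atob() call; returns 1 otherwise
# (the article's sample injection appends exactly such a loader line).
check_core_js() {
    f="$1"
    # Collect non-blank lines that appear after the sourceMappingURL line.
    trailing=$(awk '/^\/\/# sourceMappingURL=core\.js\.map/ { found = 1; next } found && NF' "$f")
    if [ -n "$trailing" ]; then
        return 1
    fi
    if tail -n 5 "$f" | grep -q 'atob('; then
        return 1
    fi
    return 0
}

# Prints "file:line" for every *.ph* file under $1 modified in the last $2
# days whose contents match a shortened version of the article's signature
# list. Generic words such as system, mkdir or chmod are left out because
# they occur in legitimate Bitrix code; still review every hit by hand.
scan_recent_php() {
    find "$1" -type f -name '*.ph*' -mtime "-$2" -exec grep -i -H -E \
        'base64_decode|str_rot13|gzinflate|gzuncompress|eval\(|shell_exec|passthru|fsockopen|FilesMan|wso shell' \
        {} \;
}
```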

Checking the database for inserts

In the phpMyAdmin database control panel, search the database for each of the following strings in turn:

<script , <? , <?php , <iframe

In case of infection through the Bitrix vote module

POST requests to the following Bitrix system files must be prohibited:

/bitrix/tools/upload.php
/bitrix/tools/mail_entry.php
/bitrix/modules/main/include/virtual_file_system.php
/bitrix/components/bitrix/sender.mail.editor/ajax.php
/bitrix/tools/vote/uf.php
/bitrix/tools/html_editor_action.php
/bitrix/admin/site_checker.php

1. Manual editing of files. Add the following at the top of each file, before the first require:

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
	header("Status: 404 Not Found");
	die();
}

2. Blocking via nginx

# breaks file uploads to infoblocks (IB)
# "deny" is not allowed inside an nginx "if" block (it is valid only in the
# http, server, location and limit_except contexts), so the check answers
# with "return 403" instead.
# These prefix locations are shadowed by a regex "location ~ \.php$" block
# if the server has one; in that case put the same "if" inside that PHP
# location (or give each "location = ..." block the same fastcgi directives,
# otherwise GET requests would serve the script source as a static file).
# virtual_file_system.php and ajax.php from the list above are handled the
# same way.
location /bitrix/tools/upload.php {
	if ($request_method = POST) {
	    return 403;
	}
}

location /bitrix/tools/mail_entry.php {
	if ($request_method = POST) {
	    return 403;
	}
}

location /bitrix/tools/vote/uf.php {
	if ($request_method = POST) {
	    return 403;
	}
}

location /bitrix/tools/html_editor_action.php {
	if ($request_method = POST) {
	    return 403;
	}
}

location /bitrix/admin/site_checker.php {
	if ($request_method = POST) {
	    return 403;
	}
}

3. Via .htaccess. A construction of the following form is needed in the .htaccess file of each directory listed below (note that "deny from all" blocks every request method, not only POST, and uses the Apache 2.2 syntax, which Apache 2.4 accepts only with mod_access_compat loaded):

<Files ~ "^(file names)\.php$">
    deny from all
</Files>

For /bitrix/tools/:

<Files ~ "^(html_editor_action|mail_entry|upload)\.php$">
    deny from all
</Files>

For /bitrix/tools/vote/:

<Files ~ "^(uf)\.php$">
    deny from all
</Files>

For /bitrix/modules/main/include/:

<Files ~ "^(virtual_file_system)\.php$">
    deny from all
</Files>

For /bitrix/components/bitrix/sender.mail.editor/:

<Files ~ "^(ajax)\.php$">
    deny from all
</Files>

For /bitrix/admin/:

<Files ~ "^(site_checker)\.php$">
    deny from all
</Files>

It is recommended to use this solution only for the duration of the attacks, since part of the admin panel functionality will be unavailable. A preferable solution is to update Bitrix to the current version or get rid of the vote module

This solution is described here: Mass hacking of sites on 1C-Bitrix. How to protect yourself?

If viruses are detected, I strongly recommend contacting cybersecurity specialists (not me)
